OU fields deprecated in Sectigo certificates as of 1 July

26 January 2022

As of July 1, 2022, Sectigo will stop using the OU fields in its certificates. This change is the result of a policy change by the CA/Browserforum, which no longer allows the use of the OU field in its guidelines as of September 1, 2022.

What is the OU field?

OU stands for Organizational Unit, this is a field in the Subject information in an SSL certificate. In certificates with company data (organization - and extended validation) the Subject part of a certificate contains company data information about the organization to which the certificate was issued. In addition to an O field in which the organization name is specified, you will also find an OU field. This field is intended to indicate a specific department of that organization.

What is the cause?

The CA/Browser (CA/B) Forum recently passed the SC47v2 ballot, making OU fields against the guidelines effective September 1, 2022. The OU field is mainly used internally at organizations for authentication, for example. This makes it difficult for a CA to verify these values with reliable, external sources – as is expected of them. For this reason, in 2019 the allowed use of the OU field was already limited to only the organization-related information. In practice, however, this proved difficult to check and assess. Removing the field resolves this issue.

What is the impact?

This change affects certificates containing corporate data:

  • Extended Validation (EV) and Organization Validation (OV) SSL
  • Standard and EV code signing certificates

Use of the OU field is optional; most certificates do not contain OU information and most enterprises do not have technical or process requirements based on this field. This change should not affect such use cases and enterprises.

Customers using the OU field should be aware that any processes or systems that rely on information in the OU field will need to be modified. For example, some applications use the OU field as a check value or identifier, such as apps communicating with a server. This will require adjustments in the configuration.

When exactly does this apply?

In anticipation of the fact that the CA/B forum will no longer allow the use of the OU field in newly issued certificates from 1 September, Sectigo will no longer issue the above-mentioned certificates with an OU field from 1 July 2022. Certificates already issued with an OU field remain valid during their term. If you reissue a certificate with an OU field after July 1, it will be reissued without an OU field.

Do you have questions? Then please contact us!

point up